Setup the reconn service on a new machine (europa).

main
Joshua Potter 2024-04-12 11:13:15 -06:00
parent c9773a7d9e
commit 5c6e336e39
5 changed files with 126 additions and 0 deletions


@ -1,6 +1,7 @@
keys: keys:
- &admin_jrpotter age1huyyxsy4g0e5svmcejxvvdjnnk6qkulgd3qfpue59exnfrnqzudspxnn62 - &admin_jrpotter age1huyyxsy4g0e5svmcejxvvdjnnk6qkulgd3qfpue59exnfrnqzudspxnn62
- &server_thebe age1pjgqvdyzxz30rxvu3zysjpmxrjjsvklggfepswhmwdaunx0kg3vsfept24 - &server_thebe age1pjgqvdyzxz30rxvu3zysjpmxrjjsvklggfepswhmwdaunx0kg3vsfept24
- &server_europa age1z0rfzzfll963msxfschxn7m65pz5p8nuz9p3h940mhhfr6uxe5mqpl4dul
creation_rules: creation_rules:
- path_regex: .* - path_regex: .*
key_groups: key_groups:


@ -49,6 +49,9 @@
thebe = { thebe = {
inherit (tapir) sops-nix; inherit (tapir) sops-nix;
}; };
europa = {
inherit (tapir) sops-nix;
};
}; };
}; };
@ -83,6 +86,14 @@
targetHost = "64.23.168.148"; targetHost = "64.23.168.148";
}; };
}; };
europa = {
imports = [ ./hive/europa ];
deployment = {
allowLocalDeployment = false;
targetHost = "147.182.255.90";
};
};
}; };
packages.${system}.digital-ocean = { packages.${system}.digital-ocean = {

31
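--- a/hive/europa/default.nix
+++ b/hive/europa/default.nix
@@ -0,0 +1,31 @@
+{ sops-nix, lib, ... }:
+{
+imports = lib.optional (builtins.pathExists ./do-userdata.nix) ./do-userdata.nix ++ [
+sops-nix.nixosModules.sops
+../../digital-ocean/configuration.nix
+../../services/reconn
+];
+networking = {
+hostName = "europa";
+firewall = {
+enable = true;
+allowedTCPPorts = [ 80 443 ];
+};
+};
+programs.mosh.enable = true;
+services = {
+nginx.enable = true;
+openssh.enable = true;
+postgresql.enable = true;
+};
+security.acme = {
+acceptTerms = true;
+defaults.email = "jrpotter2112@gmail.com";
+};
+system.stateVersion = "23.11";
+}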
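Review bot: `services.openssh.enable = true;` is set with no SSH hardening in this file, so the password and root-login policy depends entirely on `../../digital-ocean/configuration.nix`, which is not shown here. If that module does not already set them, add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.PermitRootLogin = "prohibit-password";` next to the enable line. A short comment above `allowedTCPPorts` noting that the openssh and mosh modules open their own ports by default, in addition to 80 and 443, would help the next reader audit what the host exposes.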


@ -0,0 +1,53 @@
{ system, pkgs, lib, ... }:
let
reconn-url = "git+https://git.jrpotter.com/r/reconn?rev=fa031b2507c625c54abca36fd3f86fc8338e8777";
reconn = (builtins.getFlake reconn-url).packages.${system}.app;
in
{
services = {
nginx.virtualHosts."www.hideandseek.live" = {
forceSSL = true;
enableACME = true;
serverAliases = [ "hideandseek.live" ];
locations."/" = {
recommendedProxySettings = true;
proxyPass = "http://127.0.0.1:4000";
};
};
postgresql = {
package = (pkgs.postgresql_15.withPackages (pkgs: [ pkgs.postgis ]));
ensureDatabases = [ "reconn" ];
authentication = lib.mkOverride 10 ''
# TYPE DATABASE USER ADDRESS METHOD
local all all trust
host all all 127.0.0.1/32 trust
'';
};
};
systemd.services.reconn = {
enable = true;
description = "Reconn Server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "postgresql.service" ];
requires = [ "network-online.target" "postgresql.service" ];
environment = {
DATABASE_URL = "ecto://postgres:postgres@localhost/reconn";
};
serviceConfig = {
Type = "exec";
EnvironmentFile = "/run/secrets/RECONN_SECRET_KEY_BASE";
ExecStartPre = "${reconn}/bin/migrate";
ExecStart = "${reconn}/bin/reconn start";
ExecStop = "${reconn}/bin/reconn stop";
ExecReload = "${reconn}/bin/reconn restart";
Restart = "on-failure";
};
};
sops = {
secrets.RECONN_SECRET_KEY_BASE = {
sopsFile = ./secrets.yaml;
};
};
}
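Review bot: The `authentication` block sets `trust` for every local-socket and 127.0.0.1 connection, so any process on the host can connect as any role without a password, including the `postgres` superuser that `DATABASE_URL` uses. Prefer `local all all peer` and `host all all 127.0.0.1/32 scram-sha-256`, and have the app connect as a dedicated non-superuser `reconn` role that owns only the `reconn` database. `serviceConfig` also sets no `User`, so the unit (including the `migrate` step in `ExecStartPre`) runs as root by default; `DynamicUser = true;` or a dedicated `User = "reconn";` would limit what a compromise of the web app can reach. Separately, `EnvironmentFile` hard-codes `/run/secrets/RECONN_SECRET_KEY_BASE`; referencing `config.sops.secrets.RECONN_SECRET_KEY_BASE.path` (with `config` added to the module arguments) would keep the unit and the secret declaration in sync.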


@ -0,0 +1,30 @@
RECONN_SECRET_KEY_BASE: ENC[AES256_GCM,data:uJa1Yb9YaoNtm7YH8Sn7lbG+NX2bBc8NAFaybyKRktMMnX3yBcEc8YviPXP/WYSakqq2DpmgJoUe4mciPDW3aadT3ufkDchWFpSvItkndXg=,iv:fkc2nuQrIqOrUiCqx1vK+hWa87yZgsVphSEo+pWv+Ig=,tag:TXUXHo7TdCz75wat8tK5qg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1huyyxsy4g0e5svmcejxvvdjnnk6qkulgd3qfpue59exnfrnqzudspxnn62
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqTEY1UzlkcjVlQzQzVUww
QWtvNnZXY2g5UU84aStUd3JyQnIrUGYzVzIwCmROcWdCNjZ5ZkxVaW5jSS94YTV5
ZWZZaWo0Rms2cldtYkxlV0dZSWhxMWMKLS0tIFZXNG9CKzRzQmtUNjN4UjQvcU1t
U1JmLzdFMTlvQnRFbnd4eVFNSlFsQWsKFxYi7rNAcjWUR5l8leh6e6YtrnpAj14B
KhrPUwiG4fwHMF9kWMEH05nWHQh41Vl43AYt7aEs0IO4uVqhXFghug==
-----END AGE ENCRYPTED FILE-----
- recipient: age1z0rfzzfll963msxfschxn7m65pz5p8nuz9p3h940mhhfr6uxe5mqpl4dul
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXWUJ0bW1sVjlBRVNnaU42
YmdhWEUyeStCalNQdWdybm5GdjV4TWFGYjE0CmViOGY2TlFqVW1iaVBSQ0l3L0d1
N3UzcUNlTkcrMjNUMWRJZHU1V1J0V00KLS0tIE5BdHZVak1oWnlhdy85NXhmQWhs
SEJMWFczYmhqOVkyT3JWYVI5c2I0TkEKyxl9d1C/ONI6TemSTYbyjopS4pDf7fUp
sbS77k1QzGb3EM2rD16WUu9i6mfqaaDboaO2D3Ltf4FVWdXTDQyt0w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-12T18:11:00Z"
mac: ENC[AES256_GCM,data:MK4DB60A07e5pjroITCd9RqOOnL1NRpKkQXbLPkHG/JgxR8n3PqzPs25tayBs9qogD/M3kHwLuyEiZdJOvMxqsMGqPYkrN26QVgEy3GFgAP6XfcFmBj+k0J18FNabnZNbiGMhgX+n1uwqxucRC93fcd99CItZC5DDBXbk2zl87o=,iv:apc5SjAS71dtVqGDvnUSe9phJlYG8wobu9luuo2CDOI=,tag:Bap5KTqiLGahbV/1L2YsPg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3